CESG Announces the Withdrawal of the IS1 & 2 Technical Threat Assessment

2 minute read

This post has been archived

At its IA Practitioners conference a few weeks ago, CESG announced that the IS1 & 2 would be withdrawn; but what will this mean to HMG Departments and Non-Departmental Public Bodies (NDPBs), and businesses and organisations delivering ICT or supporting its accreditation in the Public Sector? Since 2008 the HMG IS1 has been the go-to framework for conducting assessments of the threat and risk for HMG ICT systems, however the standard is to be withdrawn at the end of this month. There have been any number of theories as to why this may be, and high on that list is that CESG see the current framework as a handle-turning exercise which if not considered fully could result in threats and risks not being identified. So as the mid-night bells fade on New Year’s Day, so will this Information Assurance Standard. IS1 is Dead … Long Live ISO/IEC27005 Well not quite, but the last rites are being read and the coffin maker has taken his measurements. As of 1 January 2015 HMG Departments and NDPBs will no longer need to conduct an IS1 & 2 to support ICT system accreditation. In practice nothing will change, an formal assessment will still need to be conducted, and it must be against a recognised framework. The selection of the framework is at this stage, to be left to the respective organisation or accreditation authority. However with a wide range of standards in use across Industry, will this result in a different framework for each organisation? Unlikely. Thankfully in making the announcement CESG identified the ISO/IEC 27005, therefore it may be safe to assume that information security training and service providers will have a bumper period in the first quarter of the new year. Not necessarily, as an assessment’s life-span is set at the time of accreditation/re-accreditation by the accreditation authority it may be that there will be no need to conduct an assessment until the middle, or latter part of next year; or indeed if the accreditor has set a life span of more than 12 months, it may not be until 2016 or beyond. However I would recommend that HMG Departments, NDPBs and private sector suppliers/service providers get ahead of the game, by contacting their respective accreditation authority and begin a dialogue with regards when a new assessment will be expected – and just as important, what framework the assessment should be carried out against.

Updated: